mvnForum 1.1 Cross Site Scripting

Advisory Content :

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

mvnForum Cross Site Scripting Vulnerability

Original release date: 2008-04-27

Last revised: 2008-05-06

Latest version:
http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt

Source: Christian Holler <http://users.own-hero.net/~decoder/>

Systems Affected:

mvnForum 1.1 (http://www.mvnforum.com/) - A Java J2EE/Jsp/Servlet forum

Severity: Moderate

Overview:

An attacker who has the rights to start a new thread or to reply

to an existing one, is able to include javascript code using the topic,

that is executed when other users use the quick reply button shown

for every post.

This point of injection is possible because the topic text is part

of an "onclick" event used for the quick reply function and the

software only escapes characters that are typical for HTML cross

site script attacks. In this case, the single quote character is not

escaped.

I. Description

The list of standard functions for threads includes a typical feature

called "quick reply". For user convenience, each post has a button that

jumps to the form field allowing to send a quick reply, whilst changing

the topic text of the reply at the top of this form. This is accomplished

using javascript and the topic that is replied to. The source code for

this button looks like this:

<a href="#message" onclick="QuickReply('24','Re: Some thread topic');">

<img src="/forum/mvnplugin/mvnforum/images/icon/button_quick_reply.gif"

border="0" alt="Quick reply to this post" title="Quick reply to this post"
/></a>

Because single quotes are not escaped in the topic context, it is possible

to break out of the second argument and execute arbitrary javascript code

in the client's browser.

II. Impact

Any user that is allowed to post anywhere can use this flaw to steal

sensitive information such as cookies from other users. Especially

because the forum uses simple reusable MD5 hashes in their cookies,

this attack makes it possible to gain unauthorized access to other

user accounts.

However, this attack relies on the user to click the quick reply

button and should therefore be considered only a moderate risk.

III. Proof of concept

Creating a new thread or replying to a thread with the following subject

will demonstrate the problem after hitting the "quick reply" button above

the post text.

Test', alert('XSS ALERT') , '

IV. Solution

At the time of writing, a fix is available in CVS.

http://mvnforum.cvs.sourceforge.net/mvnforum/mvnforum/srcweb/mvnplugin/m
vnforum/user/viewthread.jsp?r1=1.316&r2=1.317

Timeline:

2008-04-27: mvnForum authors informed

2008-05-01: Fix available in CVS

2008-05-06: Vulnerability notice published

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2.0.6 (GNU/Linux)

iD8DBQFIIMEXJQIKXnJyDxURAlOPAJ96XH9zfjLJ1jMjCCpheurxwJuqMACfbz2S

FWggJDc19FDPXiiyS+AP9iU=

=Tixo

-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

mvnForum 1.1 Cross Site Scripting